Joseph
Reputation: 13178
SQL Parameterization vs. Escaping
If your language/database of choice has a built-in function to escape user-input, (for instance, mysql_real_escape_string) what are the arguments for SQL parameterization? Is it possible that mysql_real_escape_string might, at some point, leave an application vulnerable?
I use parameterization because I've been told / have read it's the better way to go, but I don't just want to follow blindly. Any insight? Thanks!
Upvotes: 0
Views: 559
Answers (1)
Pablo Santa Cruz
Reputation: 181280
Arguments for parameterization is performance.
If you are going to execute the following sentence several times:
insert into table (col1, col2) values (?, ?);
It's better to use parameters since the query is going to be evaluated only (parsed, plan analysis and computation) once, and will be executed many times.
Upvotes: 1
Related Questions
- Reasons for Prepared Statements with Bind Parameters over Interpolated Statements with Escaped / Quoted Parameters
- How "parameterized queries/prepared statements" better in SQL injection than escaping user input
- SQL injection concatenation vs parameter
- Internal vs Extenal use of parameterized sql command
- Escaping apostrophe/single quote in parameterized sql in asp
- Should I sanitize inputs to a parametrized query?
- MySQL escaped_strings VS. Parameterised Queries
- Should I escape the input parameters one by one or escape the sql query as a whole?
- Escape SQL strings when Parameterized Queries cannot be used?
- Parameterized SQL statements vs. very simple method